I know we're all dumping on Auditors. Mostly correctly, IMO, based on past experience (due to their arrogance). But the ultimate problem is likely management. Instead of having fully documented company standards and procedures; giving them to the auditor; and telling them to "validate that IT is following these requirements"; they likely just say something vague like "audit IT according to generally accepted IT standards and all applicable legal requirements". (-10 points, sentence too wordy) I.e. management doesn't want to bother either. They just want to check off the "IT has been properly audited" box on some form.
--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Clark Morris
> Sent: Friday, August 03, 2012 3:55 PM
> To: [email protected]
> Subject: Service policies on other platforms Re: Auditors Don't Know Squat!
>
> On 3 Aug 2012 13:18:31 -0700, in bit.listserv.ibm-main you wrote:
>
> >In <[email protected]>, on 08/02/2012
> >   at 02:11 PM, zOSdude <[email protected]> said:
> >
> >>Our auditors (Feds) say we need to apply all new PTF's within 30 days
> >>of availability.
> >
> >Ask them for documentation of the requirement, explaining the probable
> >impact on system security and stability, with a cc to their
> >management. If you're military, try to get DISA involved.
>
> Of interest to me and maybe others is what is the policy for applying
> Microsoft, Linux, Unix and other operating system fixes to servers in
> most organizations? Does this differ from the policies for desktops
> and laptops for the organization? Is there a migration between server
> environments, system test or equivalent to development to production?
> I know at home I normally end up applying all fixes to my Windows
> systems although I normally review them before doing the service
> install.
>
> Clark Morris
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
